How to disable your firewall in rescue mode ?

About

When working with firewalls such as firewalld, the unexpected can happen and you can be locked out of your vps.

Many VPS provider provides a rescue mode that permits to get access back to your disk called a rescue mode.

This how-to shows you how to disable your firewall but you may use it to perform any other maintenance operations.

Steps

Reboot your VPS in rescue mode

To reboot your VPS in rescue mode, you should go to the administration website of your VPS. They would have then an action in order to reboot your VPS in rescue mode.

The rescue mode is just:

  • a new machine that boots on a minimal disk with a minimal OS
  • and attach your disk

You get then access to your file and disk. You can perform administrative task such as:

  • deactivate your firewall
  • backup or data recovery
  • update your network configuration files
  • etc.

They should send you via email or via their dashboard the root and password credentials of the new virtual machine created.

Login to the rescue VPS and check the disks

Once you have login to your machine, the prompt should indicate you that it's in a rescue mode.

[RESCUE] root@vps-427a1b7c:/ $ 

You can list the disk partitions with the lsblk command.

lsblk
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda      8:0    0  2.5G  0 disk
└─sda1   8:1    0  2.5G  0 part /
sdb      8:16   0   80G  0 disk
└─sdb1   8:17   0   80G  0 part

The above output shows two disks device:

  • sda1 of 2.5 Gb mounted at the root, the new VPS
  • sdb1 of 80 Gb, not mounted, the disk of your machine that contains all your data.

In a non-rescue mode, you would see only your disk.

NAME   MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda      8:0    0  80G  0 disk
└─sda1   8:1    0  80G  0 part /

Mount your disk to access your data

To get access to the data on your disk, you need to mount it.

  • Create a mount point if necessary (ie directory where your data will be available)
# /mnt may be already created
mkdir /mnt
  • Mount your disk into this directory
mount /dev/sdb1 /mnt
  • Check that you have access to your data
  • Modify the root of the file system. It's not always needed but all process and file system will think logically that the root of the file system / is now /mnt.
chroot /mnt

At this stage, you have access to your disk, you can search file

  • by name
find . -name myfile.myextension
  • or by content with a pattern
grep -rnw . -e 'how to disable ?'

Disable your firewall service

A service is just a symbolic link in a directory that points to a file:

To disable a service, you just:

  • delete this symlink
  • or recreate a symlink to devnull (meaning that the file does not exists) This technic is also called masking the service

For systemd, the location of this service link is /etc/systemd/system/.

For instance, to disable firewalld, you would create the symlink with the following command

ln -s /dev/null /etc/systemd/system/firewalld.service

You could also just check and modify the configuration of your firewall. For firewalld, the data are stored in the zones located at

/etc/firewalld/zones

And there is also a backup with an old suffix. For instance, for a public zone.

/etc/firewalld/zones/public.xml.old

Below is an example of a bad public zone configuration that got mess up by firewall-cmd because the ipset nl was deleted before the rule.

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <rule family="ipv4">
    <source ipset="nl" invert="True"/>
    <service name="ssh"/>
    <drop/>
  </rule>
</zone>

Reboot

The reboot should happen in the dashboard of your VPS provider because it needs to recreate a VPS with your disk.

Correct your configuration and unmask your service

Example:

systemctl unmask firewalld
systemctl start firewalld
  • or directly from the file system
unlink /etc/systemd/system/firewalld.service

Documentation / Reference





Discover More
Firewalld - A list of common How-to's

This page regroups a list of how to around the firewall firewalld If your firewall is locking you out of your machine, this article will explains you how to disable it and take control...
Chrome Site Cant Be Reached
How to allow only the HTTP traffic from a subnet such as Cloudflare with Firewalld?

This article is a step by step that shows you how to configure the firewall Firewalld to allow the network packet traffic from a subnet such as Cloudflare
How to restrict your traffic to a country with Firewalld / Iptable? (ie packet filtering by country)

A step-by-step on how to configure your iptable firewall with firewalld to allow only requests originating from a country



Share this page:
Follow us:
Task Runner